From 07bca16fc8b2e3de770a8d6d2910321091765efc Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 28 Oct 2021 15:10:42 +0200 Subject: [PATCH] nspawn: make sure to chown() implicit source dirs for --bind= to container root UID This makes sure that a switch like --bind=:/foo does the right thing if user namespacing is one: the backing dir should be owned by the container's root UID not the host's. Thus, whenever the source path is left empty and we automatically generate a source dir as temporary directory, ensure it's owned by the right UID. Fixes: #20869 --- src/nspawn/nspawn-mount.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index 751e270c6cf..2bfff79cde5 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -726,6 +726,11 @@ static int mount_bind(const char *dest, CustomMount *m, uid_t uid_shift, uid_t u return r; } + /* If this is a bind mount from a temporary sources change ownership of the source to the container's + * root UID. Otherwise it would always show up as "nobody" if user namespacing is used. */ + if (m->rm_rf_tmpdir && chown(m->source, uid_shift, uid_shift) < 0) + return log_error_errno(errno, "Failed to chown %s: %m", m->source); + if (stat(m->source, &source_st) < 0) return log_error_errno(errno, "Failed to stat %s: %m", m->source); -- 2.47.3